Spammers abuse .gov URL shortener service in work-at-home scams
Open redirect vulnerabilities on .gov websites allow spammers to abuse .gov URL shortener service, Symantec researchers say
IDG News Service - Spammers have found a way to abuse a URL shortener service intended for U.S. government social media activities in order to craft rogue .gov URLs for work-at-home scams.
Security researchers from Symantec have detected a new email spam campaign that tries to trick users into visiting URLs under the 1.usa.gov domain name. This domain was created as the result of a partnership between USA.gov, the U.S. government's official Web portal, and the Bitly URL shortener service.
According to a how-to page on USA.gov, when anyone uses Bitly.com to shorten URLs that end in .gov or .mil, the service generates short URLs under the 1.usa.gov domain.
"A short URL could take a user to a trustworthy site or a spam site, but a user would have no way of knowing before he or she clicks. That's why USA.gov has made it easy for people to create short, trustworthy .gov URLs that only point to official U.S. government information," the Web page explains.
However, it seems that spammers have figured out a way to abuse the service and the inherent trust associated with .gov URLs by exploiting open redirect scripts found on some .gov websites.
Redirect scripts are used by website owners to track clicks on third-party URLs listed on their websites, to display warnings to users that they are leaving the website, or for other purposes. However, these scripts often accept any destination URL without validating it, which results in so-called open redirect vulnerabilities: anyone can build a link on the trusted domain that sends visitors wherever the attacker chooses.
"By using an open-redirect vulnerability, spammers were able to set up a 1.usa.gov URL that leads to a spam website," Symantec researcher Eric Park said Friday in a blog post. In particular, the spammers used an open redirect script from the State of Vermont's Department of Labor website -- labor.vermont.gov, he said.
First, the spammers behind this campaign created scam websites masquerading as financial news sites that contain articles about work-at-home opportunities. This type of scam has been around for years and its goal is to convince users to pay for starter kits or service subscriptions that would allegedly allow them to start making money on the Internet by working from their home computer.
The scam websites used in this campaign were hosted on domains like consumeroption.net, consumerbiz.net, workforprofit.net, consumerneeds.net, consumerbailout.net and others.
The spammers exploited the open redirect vulnerability on the labor.vermont.gov website to create URLs of the form labor.vermont.gov/LinkClick.aspx?link=[scam website]. These URLs were then passed through Bitly in order to generate 1.usa.gov short URLs, thereby creating a two-step redirect chain: the short link resolves to the .gov redirect script, which in turn forwards the visitor to the scam site.
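The following Python is an added example, not code from Symantec, Bitly or the State of Vermont, and it is not the actual LinkClick.aspx handler. It shows the two halves of the problem described above: a redirect handler that forwards to whatever the link parameter says (the open-redirect pattern) beside a hardened version that only forwards to the site's own host, plus a small triage helper that pulls the real destination out of a redirect URL of the form seen in this campaign. The host name labor.vermont.gov and the parameter name link are taken from the article; scam.example is a constructed stand-in for the spam domains, and the function names are this example's own.

```python
from urllib.parse import urlsplit, urljoin, parse_qs

# Assumption: the host the redirect script is served from (taken from the article).
SITE_HOST = "labor.vermont.gov"


def open_redirect_target(link: str) -> str:
    """The vulnerable pattern: trust the 'link' parameter and send the user there.

    Nothing stops link from being http://scam.example/, so the trusted .gov
    domain becomes a free hop for anyone who can craft a URL.
    """
    return link


def validate_redirect(link: str, site_host: str = SITE_HOST):
    """The hardened pattern: return an absolute URL on site_host, or None to refuse.

    Rejected inputs include other hosts, scheme-relative '//host' links,
    'user@host' tricks and non-http(s) schemes such as javascript:.
    """
    if not link or not link.strip():
        return None
    link = link.strip()
    # Browsers treat a backslash in a URL as a slash, so "/\scam.example" would
    # become "//scam.example"; normalise before parsing so that case is caught too.
    link = link.replace("\\", "/")
    # Resolve site-relative paths against our own origin; absolute URLs and
    # scheme-relative URLs come back as-is with their real host exposed.
    absolute = urljoin(f"https://{site_host}/", link)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname drops any userinfo and port and lower-cases the host.
    if parts.hostname != site_host.lower():
        return None
    return absolute


def safe_redirect_target(link: str, site_host: str = SITE_HOST) -> str:
    """What the handler should actually do: fall back to the home page when refused."""
    return validate_redirect(link, site_host) or "/"


def redirect_parameter(url: str, param: str = "link"):
    """Triage helper: return the decoded value of the redirect parameter, or None."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None


def classify_link(url: str, site_host: str = SITE_HOST, param: str = "link") -> str:
    """Label a URL seen in mail: does its redirect parameter leave the trusted host?"""
    target = redirect_parameter(url, param)
    if target is None:
        return "no-redirect-parameter"
    return "stays-on-site" if validate_redirect(target, site_host) else "leaves-site"


if __name__ == "__main__":
    # Constructed sample of the URL form described in the article.
    sample = "https://labor.vermont.gov/LinkClick.aspx?link=http%3A%2F%2Fscam.example%2F"
    print(redirect_parameter(sample))            # http://scam.example/
    print(classify_link(sample))                 # leaves-site
    print(safe_redirect_target("/jobs"))         # https://labor.vermont.gov/jobs
    print(safe_redirect_target("//scam.example/"))  # /
```

The 1.usa.gov hop itself cannot be resolved offline, so the triage helper works on the .gov redirect URL that the short link expands to; in practice you would expand the short link first (Bitly exposes the long URL by appending a plus sign to the short one) and then feed the result to classify_link.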
"While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome," Park said.
Public statistics provided by Bitly for the rogue 1.usa.gov URLs used in this spam campaign showed that the links had been clicked 43,049 times between Oct. 12 and Oct. 18, with a significant spike in click volume on Oct. 18.
"The top four countries on a daily basis were the United States, Canada, Australia, and Great Britain," Park said. "In aggregate, the United States made up the biggest slice with 61.7 percent of the clicks."
.gov URLs might inspire a higher degree of trust. However, users should always exercise caution when opening links, regardless of where they appear to be pointing to, Park said.